From mboxrd@z Thu Jan 1 00:00:00 1970 From: Eric Paris Subject: Re: [PATCH V2] audit: log 32-bit socketcalls Date: Fri, 13 Jan 2017 09:42:23 -0500 Message-ID: <1484318543.5300.1.camel@redhat.com> References: Mime-Version: 1.0 Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: 8bit Cc: Kangkook Jee , Paul Moore , Steve Grubb To: Richard Guy Briggs , netdev@vger.kernel.org, linux-kernel@vger.kernel.org, linux-audit@redhat.com Return-path: Received: from mx1.redhat.com ([209.132.183.28]:49422 "EHLO mx1.redhat.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751653AbdAMOmZ (ORCPT ); Fri, 13 Jan 2017 09:42:25 -0500 In-Reply-To: Sender: netdev-owner@vger.kernel.org List-ID: On Fri, 2017-01-13 at 04:51 -0500, Richard Guy Briggs wrote: > 32-bit socketcalls were not being logged by audit on x86_64 systems. > Log them.  This is basically a duplicate of the call from > net/socket.c:sys_socketcall(), but it addresses the impedance > mismatch > between 32-bit userspace process and 64-bit kernel audit. > > See: https://github.com/linux-audit/audit-kernel/issues/14 > > Signed-off-by: Richard Guy Briggs > > -- > v2: >    Move work to audit_socketcall_compat() and use > audit_dummy_context(). > --- >  include/linux/audit.h |   16 ++++++++++++++++ >  net/compat.c          |   15 +++++++++++++-- >  2 files changed, 29 insertions(+), 2 deletions(-) > > diff --git a/include/linux/audit.h b/include/linux/audit.h > index 9d4443f..43d8003 100644 > --- a/include/linux/audit.h > +++ b/include/linux/audit.h > @@ -387,6 +387,18 @@ static inline int audit_socketcall(int nargs, > unsigned long *args) >   return __audit_socketcall(nargs, args); >   return 0; >  } > +static inline int audit_socketcall_compat(int nargs, u32 *args) > +{ > + if (unlikely(!audit_dummy_context())) { I've always hated these likely/unlikely. Mostly because I think they are so often wrong. I believe this says that you compiled audit in but you expect it to be explicitly disabled. While that is (recently) true in Fedora I highly doubt that's true on the vast majority of systems that have audit compiled in. I think all of the likely/unlikely need to just be abandoned, but at least don't add more? It certainly wouldn't be the first time I was wrong, and I haven't profiled it. But the function would definitely look better if coded static inline int audit_socketcall_compat(int nargs, u32 *args) { if (audit_cummy_context()) { return 0 } int i; unsigned long a[AUDITSC_ARGS]; [...] } > + int i; > + unsigned long a[AUDITSC_ARGS]; > + > + for (i=0; i + a[i] = (unsigned long)args[i]; > + return __audit_socketcall(nargs, a); > + } > + return 0; > +} >  static inline int audit_sockaddr(int len, void *addr) >  { >   if (unlikely(!audit_dummy_context())) > @@ -513,6 +525,10 @@ static inline int audit_socketcall(int nargs, > unsigned long *args) >  { >   return 0; >  } > +static inline int audit_socketcall_compat(int nargs, u32 *args) > +{ > + return 0; > +} >  static inline void audit_fd_pair(int fd1, int fd2) >  { } >  static inline int audit_sockaddr(int len, void *addr) > diff --git a/net/compat.c b/net/compat.c > index 1cd2ec0..f0404d4 100644 > --- a/net/compat.c > +++ b/net/compat.c > @@ -22,6 +22,7 @@ >  #include >  #include >  #include > +#include >  #include >   >  #include > @@ -781,14 +782,24 @@ COMPAT_SYSCALL_DEFINE5(recvmmsg, int, fd, > struct compat_mmsghdr __user *, mmsg, >   >  COMPAT_SYSCALL_DEFINE2(socketcall, int, call, u32 __user *, args) >  { > + unsigned int len; >   int ret; > - u32 a[6]; > + u32 a[AUDITSC_ARGS]; >   u32 a0, a1; >   >   if (call < SYS_SOCKET || call > SYS_SENDMMSG) >   return -EINVAL; > - if (copy_from_user(a, args, nas[call])) > + len = nas[call]; > + if (len > sizeof(a)) > + return -EINVAL; > + > + if (copy_from_user(a, args, len)) >   return -EFAULT; > + > + ret = audit_socketcall_compat(len/sizeof(a[0]), a); > + if (ret) > + return ret; > + >   a0 = a[0]; >   a1 = a[1]; >